Somehow the general infrastructure stays 'borked', Microsoft for instance not acting against audio-eavesdropping by microphone and certain surveillance parties blaming Kaspersky for doing so. Double standards rule and political bias is taken as the red herring.

The provided 0-day holes are so-called "features", those that wanna protect you against it are portrayed as 'evildoers'.

Those that matter do not listen, those in the know do not matter, so everything stays "borked" as pre-designed.

polonus (volunteer website security analyst and website error-hunter)


Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

The whole thing with certificates should be about "trust", but it is all only about the money, and trust here is a secondary issue. Moreover 90% of users do not have an idea why they should trust a green padlock inside their browser or not.

With such an action both Google and Symantec protect themselves against loss of money, as certificates do not lose their value immediately, so expensive certificates are not turned into worthless ones. Taking months for all of this to happen, Google can put the blame at certification not being renewed in time, and prevents both Google and Symantec from losing money.

The old infrastructure is not failing because of a newer infrastructure being introduced. Otherwise we would have had a real "trust" crisis, and users would not trust certification like in the past. Browsers, CA vendors, accountants all profit from/depend on the financial position of this CA system, so when you can no longer visit a particular website inside the browser, vendors lose money and new buyers stay away. With a multi-billion system no one wants to lose money when a CA or an accountant is not performing as it should.

As polonus sees it, the Internet infrastructure as such is experiencing the greatest trust crisis of all times. Only most are not aware of what is happening, and some even do not care.

It is all about the status quo between those that want to keep the infrastructure secure and those that wanna keep it zero-holed to quite an extent. It is a very, very difficult balancing act all the way.

polonus (volunteer website security analyst and website error-hunter)


Due to the Symantec and DigiCert uncertainty seen from how Google handles it, also while Comodo, one of the big players here, has sold its Certification Division to Francisco Partners, that will later come up with another name for that Cert. Division to be known under.

Simply copying an authenticode signature from a legitimate file to a known malware sample in some cases could do the trick, with 34 AV solutions affected. (The affected AVs are listed in Table 3 in the paper referenced in the article, at http://www.umiacs.umd.edu/~tdumitra/papers/CCS-2017.pdf .) See: https://github.com/HackerFantastic/Public/blob/master/tools/bypassavp.sh